1 verification of global access control in large scale networks david m. nicol university of...
TRANSCRIPT
1
Verification of Global Access Control
in Large Scale Networks
David M. NicolUniversity of Illinois at Urbana-Champaign
CNLS 2010
Collaborators : Bill Sanders, Mouna Seri, Sankalp Singh, Ryan Kagin, Hamed Okhravi
2
Problem
Process Control networks are connected in enterprise systems
- Access controlled by configuring potentially many firewalls- Subtle errors are common- Best practices recommendations exist (e.g. NIST SP 800-82)
How can one express Best Practices as Global Access Policy in machine checkable form?
How can one detect violations of Global Access Policy?
3
Global Policy
Examples from NIST SP 800-82
Outbound packets from the control network or DMZ should be allowed only if those packets have a correct source IP address that’s assigned to the control network or DMZ devices.
Traffic should be prevented from transiting directly from the control network to the corporate network, and vice versa. All traffic should terminate in the DMZ.
Any protocol allowed between the control network and DMZ should explicitly not be allowed between the DMZ and corporate networks (and vice versa).
X
May be installation specific rules, e.g., availability of services
4
Global PolicyDefine global names for sets of hosts, sets of subnets, sets of
protocols, ports, etc. Define global policy like a system-wide firewall
Traffic should be prevented from transiting directly from the control network to the corporate network, and vice versa. All traffic should terminate in the DMZ.
DMZ2
example
PCS
Src(PCS) allow Dst(DMZ2)Src(PCS) allow Dst(PCS)
Corporate
Src(Corporate) allow Dst(Corporate)Src(Corporate) allow Dst(DMZ2)
5
Global Policy Conflict Resolution
DMZ2
Example : conflict resolution
PCS
Src(PCS) deny Dst(PCS)
Src(EMS) allow Dst(data historian)
Try to resolve conflicts using Rule of Greatest Specificity– Other conflicts reported to user
conflict
Corporate
Src(Corporate) allow Dst(Corporate)Src(Corporate) allow Dst(DMZ2)
6
History
The Network Access Policy Toolset (NetAPT) developed under I3P and DOE support
– Started with focus on compliance checking– Transitioning to industry…hence best practices question
NetAPTArchitecture
7
Topology Inference
Firewall configurations contain elements of connectivity info• CIDR descriptions of sub-networks facing FW interfaces• “route” statements• VPN descriptions
NetAPT topology inference engine based on SNL “Antfarm” tool
Database-based approach that “grows” knowledge of topology out from the elemental connectivity data
126.18.36.80/25 126.18.00.80/25
8
Topology Inference
Firewall configurations contain elements of connectivity info• CIDR descriptions of subnetworks facing FW interfaces• “route” statements• VPN descriptions
NetAPT topology inference engine based on SNL “Antfarm” tool
Database-based approach that “grows” knowledge of topology out from the elemental connectivity data
126.18.00.80/25
126.18.02.80/25
126.18.36.80/25 126.18.00.80/25
9
Topology Inference
Firewall configurations contain elements of connectivity info• CIDR descriptions of subnetworks facing FW interfaces• “route” statements• VPN descriptions
NetAPT topology inference engine based on SNL “Antfarm” tool
Database-based approach that “grows” knowledge of topology out from the elemental connectivity data
126.18.02.80/25126.18.36.80/25 126.18.00.80/25
10
Topology Inference
Firewall configurations contain elements of connectivity info• CIDR descriptions of subnetworks facing FW interfaces• “route” statements• VPN descriptions
NetAPT topology inference engine based on SNL “Antfarm” tool
Database-based approach that “grows” knowledge of topology out from the elemental connectivity data
126.2.48.80/25 126.18.02.80/25
VPN tunnel 126.2.48.95.0
11
Topology Inference
Firewall configurations contain elements of extant host IP addresses
– “name” statements– ACL, object group, and other statements that refer
directly to a host IP address
Discovered networks populated with discovered host IDs
1212
Network Architecture Possible Network Layer Rule Graph
Proxy server
Heart of Analysis : Rule Graph
Analysis based on identifying paths through “rule graph”• Each hop in path corresponds to “policy implementation”
13
At the core : connectivity map
NetAPT discovers every path possible between every pair of subnetworks (including every pair of devices in specific network of interest)
– Graph edge labeling problem, multi-dimensional labels identify flows admitted by a firewall rule (source), and have policy applied by another firewall rule (destination)
– Each execution of local policy at a FW checked against global policy
Knowledge of all flows that can reach a critical asset extremely useful
14
NetAPT - Prototype
15
NetAPT - Prototype
16
NetAPT - Prototype
17
Validation in industrial setting
We are working closely with an electric utility– Core network analyzed : 10 firewalls (thousands of rules
each), 500 devices– VPN tunnels, hot backups– NetAPT topology discovery validated– Execution time : 30 mins topology discovery, 20 minutes
connectivity map on ordinary PC
Used in NERC-CIP compliance assessment, spring 2010
Transitioning to daily network observation / maintenance / training role
“incremental” global policy development support
18
Network analysis is limited
Network connectivity analysis considers only direct connections
Attacks typically “hop” between compromised hosts
19
Network analysis is limited
Network connectivity analysis considers only direct connections
Attacks typically “hop” between compromised hosts
20
Network analysis is limited
Network connectivity analysis considers only direct connections
Attacks typically “hop” between compromised hosts
21
Network analysis is limited
Network connectivity analysis considers only direct connections
Attacks typically “hop” between compromised hosts
22
Network analysis is limited
Network connectivity analysis considers only direct connections
Attacks typically “hop” between compromised hosts
23
Network analysis is limited
Network connectivity analysis considers only direct connections
Attacks typically “hop” between compromised hosts
24
Refine the trust base
Access control framework in hosts may mitigate attacker’s ability to hop– Separation kernel, strong host-based policies
Example : SeLinux– Extensive control over processes’ abilities to
read/write files– Extensive control over processes’ ability to
connect to network
Challenge : integrate host-based access control with network connectivity map– Find only possible pathways for potential attacks
• Assuming OS access control is uncompromised
25
SeLinux
SeLinux – three layers of protection mechanisms– Type enforcement
• Objects have types (e.g., “port”), attributes, rules declared access rights as a function of these, e.g.
allow httpd_t port_type : tcp_socket recv_msg;Means http_t can receive messages on all TCP sockets
that have attribute port_type• Type transitions may be declared
– Role-based Access Control• Roles declared for processes, access declared as a
function of role and types• Role transitions may be declared
– Users• Mapped to roles
26
SELAC
SELAC model (Zanin and Mancini,2004) provides a formalism to define accessibility sets
Loosely, for every subject, what objects does it potentially have access to (and access type), allowing for all possible transitions
We can use this to answer the question “Does a subject that can read port p ultimately also allow for a write to port q?
host
p
27
SELAC
SELAC model (Zanin and Mancini,2004) provides a formalism to define accessibility sets
Loosely, for every subject, what objects does it potentially have access to (and access type), allowing for all possible transitions
We can use this to answer the question “Does a subject that can read port p ultimately also allow for a write to port q?
host
p
28
SELAC
SELAC model (Zanin and Mancini,2004) provides a formalism to define accessibility sets
Loosely, for every subject, what objects does it potentially have access to (and access type), allowing for all possible transitions
We can use this to answer the question “Does a subject that can read port p ultimately also allow for a write to port q?
host
p
29
SELAC
SELAC model (Zanin and Mancini,2004) provides a formalism to define accessibility sets
Loosely, for every subject, what objects does it potentially have access to (and access type), allowing for all possible transitions
We can use this to answer the question “Does a subject that can read port p ultimately also allow for a write to port q?
host
p
30
SELAC
host
p
q
SELAC model (Zanin and Mancini,2004) provides a formalism to define accessibility sets
Loosely, for every subject, what objects does it potentially have access to (and access type), allowing for all possible transitions
We can use this to answer the question “Does a subject that can read port p ultimately also allow for a write to port q?
31
SELAC
host
p
q
SELAC model (Zanin and Mancini,2004) provides a formalism to define accessibility sets
Loosely, for every subject, what objects does it potentially have access to (and access type), allowing for all possible transitions
We can use this to answer the question “Does a subject that can read port p ultimately also allow for a write to port q?
32
Integrated Host and Network Access Control
On each SeLinux host compute accessibility sets• Establishes connectivity between ports on the
same hostCompute network connectivity map
• Establishes connectivity between ports on different hosts
Imagine a graph with two types of nodes : subject, port
Edges : subject to port (on host), port to port (from above)
• Each subject has initial accessibility set
Transitive closure of graph identifies for every subject, other subjects and objects it can reach through network
33
I’m crazy, right?
Stock SeLinux configuration “out of the box” has 250,000 rules
But (with optimizations) on-host accessibility sets were computed in approximately 5 minutes
Network connectivity time depends on depth of network graph, for this example (10 switched hosts), 2 secs.
Convolution algorithm ran in under 1 sec.
Maybe I’m not crazy after all….
But I know my combinatorics, deep complex networks lead to very large run-times….intelligent sampling….
34
Summary
NetAPT helps to address the problem of verifying that PCS systems adhere to global policy encoding best practices
Being validated by, and is in transition for use by a major electric utility